K
Q

Kubernetes Client Certificate (RKE managed)

4/19/2018

I'm currently deploying a K8S cluster through Rancher RKE using AWS EC2 virtual machines (with CentOS 7 and Docker 17.03.2-ce). Unfortunately after depolying K8S dashboard, I'm not been able to access it from external, through API SERVER (https://API-server-ip:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/). Service are up and running without problems:

NAMESPACE       NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)         AGE
default         kubernetes             ClusterIP   10.43.0.1       <none>        443/TCP         1h
ingress-nginx   default-http-backend   ClusterIP   10.43.76.101    <none>        80/TCP          1h
kube-system     kube-dns               ClusterIP   10.43.0.10      <none>        53/UDP,53/TCP   1h
kube-system     kubernetes-dashboard   ClusterIP   10.43.198.196   <none>        443/TCP         1h

I saw that PEM certificate have been already created within /etc/kubernetes/ssl of the API SERVER machine:

-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-apiserver-key.pem
-rw-r--r--. 1 root root 1302 Apr 19 09:19 kube-apiserver.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-ca-key.pem
-rw-r--r--. 1 root root 1017 Apr 19 09:19 kube-ca.pem
-rw-r--r--. 1 root root  493 Apr 19 09:19 kubecfg-kube-controller-manager.yaml
-rw-r--r--. 1 root root  437 Apr 19 09:19 kubecfg-kube-node.yaml
-rw-r--r--. 1 root root  441 Apr 19 09:19 kubecfg-kube-proxy.yaml
-rw-r--r--. 1 root root  457 Apr 19 09:19 kubecfg-kube-scheduler.yaml
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-controller-manager-key.pem
-rw-r--r--. 1 root root 1062 Apr 19 09:19 kube-controller-manager.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-etcd-<...>-compute-amazonaws-com-key.pem
-rw-r--r--. 1 root root 1298 Apr 19 09:19 kube-etcd-<...>-us-east-2-compute-amazonaws-com.pem
-rw-r--r--. 1 root root 1679 Apr 19 09:19 kube-node-key.pem
-rw-r--r--. 1 root root 1070 Apr 19 09:19 kube-node.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-proxy-key.pem
-rw-r--r--. 1 root root 1046 Apr 19 09:19 kube-proxy.pem
-rw-r--r--. 1 root root 1675 Apr 19 09:19 kube-scheduler-key.pem
-rw-r--r--. 1 root root 1050 Apr 19 09:19 kube-scheduler.pem

I tried to use kube-apiserver-key.pem as key to generate a client certificate openssl req -new -key /etc/kubernetes/ssl/kube-apiserver-key.pem -out /tmp/user-cert.pem and eventually use it to access. Unfortunately the generated certificate is resulted to be in invalid format (I tried both to install on MacOS X and on SSL online validator.

Any help?

-- luke035
kubernetes
rancher
ssl

Similar Questions

test image from azure container registry
413 error with Kubernetes and Nginx ingress controller
How is the preemption notice handled?
expose kuberentes api to the rest of the network

1 Answer

4/20/2018

After several digging I managed to found a solution.

In the generate RKE kubeconfig generated file, both client-certificate-data and client-key-data are present as base64 encoded keys for kube-admin.

In order to use them in my client browser I had first to decode them for obtaining the respective certificate and key

echo '<KUBE_ADMIN_CLIENT_CERTIFICATE_DATA>' | base64 --decode > kube-admin-cert.pem

echo '<KUBE_ADMIN_CLIENT_KEY_DATA>' | base64 --decode > kube-admin-cert-key.pem

Once the certificates have been generated it's possibile to extract the correspondant .p12 certificate file

openssl pkcs12 -export -clcerts -inkey kube-admin-cert-key.pem -in kube-admin-cert.pem -out kube-admin-cert.p12

Eventually, once the p12 certificate has been installed in local client browser, it's possibile to authenticate successfully to the proxy api server.

-- luke035
Source: StackOverflow